website risk assessment/risk management

pma111 asked:
Are there any common risks that can be associated with a company website? We need to do a risk assessment to ensure we have plans/controls/processes in place for all common risks associated with a company's website. The main ones I could think of were: effective content management (e.g. no broken links, up-to-date information, compliance with accessibility standards for all user groups) to reduce the risk of customer dissatisfaction/reputational damage; availability, e.g. controls for minimising downtime from hardware failure etc.; and security, e.g. compromise of the site/server etc. I suppose performance, e.g. ensuring a suitable platform/hardware, could be another risk.
Dr. Klahn, Principal Software Engineer
Keep the web site outside the corporate network proper, in its own DMZ. Better, co-host the web site or put it on a commercial hosting server so that it's not physically associated with your corporate LAN at all.

Up-to-date backups, which depends on the amount of risk you are willing to assume. This might mean monthly, weekly, daily or even shorter intervals.

In a one-server environment, at least one warm-redundant server so one can take over immediately on failure of the primary. In a multiple-server environment, continuous consistency checking between the servers so that any infected machine can be taken down quickly.

Hire a "gray hat" intrusion team periodically and have them attempt to disrupt the server operation.

Protection against DDoS. You'll run into it eventually; best to address it right from the beginning.

Automatic IP lockout of troublesome IP blocks and individual addresses.

And so much more.
btan, Exec Consultant
Distinguished Expert 2018
Baseline controls should at a minimum address the OWASP top vulnerabilities, especially the injection attacks like XSS and SQLi, data exposure, and the use of vulnerable components, as mentioned for the CMS.
There are also the high-impact web attacks shared by the other expert, like DDoS at the network and application level (see link for further assessment), and not forgetting web defacement (which may not be just visual changes but files injected stealthily into the server).
It is also good to take a "reverse" view, in the event the web system lacks these basic controls or checks:

  1. Input and data validation (injection)
  2. Authentication & authorization (unauthorized access)
  3. Configuration management (unhardened)
  4. Sensitive data (leakage)
  5. Session management (hijacking)
  6. Cryptography (tamper & intercept)
  7. Parameter manipulation (corruption of input)
  8. Exception management (fingerprint state)
  9. Auditing and logging (delay detection)
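Two points above, the consistency checking between servers in Dr. Klahn's answer and the stealthily injected files mentioned under web defacement, both come down to knowing what the web root is supposed to contain. The following is an added example, not code from either answer: it takes a SHA-256 baseline of a document root and reports added, modified and removed files, which works equally for comparing one server against its own earlier baseline or against a reference server. The sample web root and the tampering it detects are constructed inside `demo()`.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Compare a current tree hash map against a trusted baseline.

    Any entry in 'added' or 'modified' on a production web root that did not
    come from a known deployment is a signal to investigate (or, in a
    multi-server farm, to pull that node out of rotation)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed sample: build a tiny web root, record its baseline, then
    simulate an unexpected change (one edited page, one new file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "images" / "logo.svg").write_text("<svg/>\n")
        baseline = hash_tree(root)          # taken right after deployment

        # Simulated tampering (constructed, benign content): a page is
        # altered and a file appears that no deployment created.
        (root / "index.html").write_text("<h1>Welcome</h1><!-- changed -->\n")
        (root / "images" / "helper.php").write_text("<!-- unexpected -->\n")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off the web server (or signed) so that whoever alters the document root cannot also rewrite the reference it is checked against.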
